Universities, like all public institutions and organizations, serve the public. In addition to education and research data, they hold personal and sensitive data about students, academics and university staff. At a time when cyber attacks are on the rise, the data security of universities has become a matter of public security.
In recent years, the data of tens of thousands of students and employees were exposed in breaches at universities such as Marmara [1], Atatürk [2] and Özyeğin [3]. In October 2023, attackers exploited vulnerabilities in Tokat Gaziosmanpaşa University's systems and offered the information of 741 students for sale online [4]. In August 2023, Atatürk University was also attacked: the attackers obtained a staff member's account credentials and, using that access, captured the data of about 12,000 people [2]. These cases show how exposed universities are to cyber attacks, and how important their security is from a public-security standpoint.
Reasons for Data Breaches at Universities
The reasons for data breaches at universities can be summarized as follows:
- Security Vulnerabilities: Universities are attractive targets because they run large and complex networks. Vulnerabilities in those networks allow attackers to infiltrate systems and reach sensitive data.
- Inadequate Information Security Policies: Universities that lack information security policies, fail to define security standards or fail to take appropriate security measures leave the door open to data breaches.
- Careless User Behavior: Careless or non-compliant behavior by staff and students increases exposure to attack. For example, neglecting basic practices such as choosing strong passwords and keeping software up to date can lead to breaches.
- Failure to Implement Measures Effectively: Universities often lack the budget and technical resources to implement the measures, and the staff to keep them in place, so many measures are never applied. Their complex structure, low security awareness among staff, and the demand for flexible access to and sharing of information in teaching and research all work against effective implementation.
- Technological Deficiencies: When the information technology in use is outdated or security updates are not applied regularly, the potential security risk grows.
- External Threats: Because of their research, development and innovation activities, universities hold a variety of sensitive information. That information can be targeted for many reasons and may draw external cyber attacks.
- Physical Security Weaknesses: Failing to physically protect the IT infrastructure is also a vulnerability. Poorly secured computer rooms, server rooms and data centers can lead to breaches through physical access.
- Personal Computer Use: When students, faculty and other staff connect personal computers to university networks, the security of those machines matters a great deal. They need up-to-date antivirus software and regularly updated operating systems, they should be protected in line with the password policy, and their users should be security-aware. For institutional staff in particular, personal computers should not be used for institutional work.
- Application Security: Universities run many applications, and each one must be secured; security updates for them should be tracked and applied regularly. Applications that provide access to student information, academic records and other sensitive data are especially critical.
- Training and Awareness: Institutional staff and faculty should be trained and made aware of computer security. They should be encouraged to be wary of malicious e-mail and phishing and to report suspicious activity.
- Network Security: University networks must be protected with firewalls, secure connection protocols and other controls. Network traffic monitoring and security incident response capabilities should also be in place.
- Development and Testing Processes: Where the institution develops and uses its own applications, the software development process should be security-oriented, with regular code reviews, security testing and vulnerability scans.
Addressing these factors together strengthens a university's IT security and reduces the risk of data breaches. Security should be treated as a whole: the focus should not be on network security alone but also on measures such as raising user awareness and securing applications.
What Can Universities Do to Prevent Breaches?
Ensuring cyber security is a legal obligation for universities. All universities are required to comply with the Information and Communication Security Guide (BIGR) of the Presidential Digital Transformation Office, which came into force on July 27, 2020, and must submit their audit reports to the Digital Transformation Office by March 1, 2024.
BIGR sets out the measures that public institutions and operators of critical infrastructure must follow to reduce and neutralize the security risks in their information systems, and to protect critical data whose loss of confidentiality, integrity or availability could threaten national security or disrupt public order. As a regulatory instrument it provides a general framework for raising the level of information security across the country, and it is therefore the framework universities should follow to meet their cyber security needs.
BIGR Measures
- Security Measures for Asset Groups: Measures for the networks, systems, applications, portable devices and media, Internet of Things (IoT) devices, personnel and physical environments within the university. With these measures a university can close security gaps, protect itself against external threats and ensure that staff have sufficient knowledge and awareness of information security. The guide also requires policies that ensure all related processes run securely and effectively.
- Security Measures for Application and Technology Areas: Measures that secure instant messaging, cloud computing and critical infrastructure, and that govern the recording, processing, protection and destruction of personal data so that operations such as deletion and destruction are carried out lawfully and securely.
- Hardening Measures: The measures needed to secure the operating systems, databases and servers used by the university.
With the growth of internet use and cyber attacks, institutions and organizations can no longer avoid taking the security measures needed to protect their data. Universities, which must store data on internet-connected systems and provide services to the public, fall within this scope. Because a breach can lead to serious consequences such as the theft or unauthorized use of personal data, it is essential that universities take the measures needed to secure it. To meet their information security obligations, universities must comply with the Information and Communication Security Guide.
SOURCES
[1] Public Announcement (Data Breach Notification) – Marmara University (KVKK)
https://www.kvkk.gov.tr/Icerik/7451/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Marmara-Universitesi
[2] Public Announcement (Data Breach Notification) – Atatürk University (KVKK)
https://www.kvkk.gov.tr/Icerik/7694/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Ataturk-Universitesi
[3] Public Announcement (Data Breach Notification) – T.R. Özyeğin University (KVKK)
https://www.kvkk.gov.tr/Icerik/6854/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-T-C-Ozyegin-Universitesi-
[4] Public Announcement (Data Breach Notification) – Tokat Gaziosmanpaşa University (KVKK)
https://kvkk.gov.tr/Icerik/7722/Kamuoyu-Duyurusu-Veri-Ihlali-Bildirimi-Tokat-Gaziosmanpasa-Univers